Community banks are feeling extreme pressure to keep pace with cutting-edge customer experiences offered by tech giants and sophisticated digital products being launched by big banks. But a new app rushed through development could be laden with security pitfalls.

With no in-house app development team, smaller banks are at the mercy of their provider, said Al Pascual, senior vice president of research and head of fraud and security at Javelin Strategy & Research.

"Every year our researchers somewhere find a ton of banking apps with something broken."

The issue is that every bank has to meet specific security needs, but the demand to get an app to market puts pressure on outsourced app developers, and therein a gap can form. Developers may add code or features that, while enhancing the user experience, fail to pass security muster.

"Banks are turning around apps like they've never done historically," said David Vergara, head of security product marketing at OneSpan, a Chicago-based banking cybersecurity and IT service provider. "But if you were to ask the app developers, because they're stressed, if they had a choice about what they are going to focus on, 10 times out of 10 it's going to be user experience."

There are now over 6,000 consumer banking mobile apps in the U.S., the highest amount ever in the market, according to Malauzai Software, an Austin, Tex.-based app developer that was recently acquired by the U.K. fintech giant Finastra.

Such a crowded field presents a tempting target for hackers. A recent study of European apps found that several from major banks had a common flaw that could allow the theft of customer information, including passwords and PIN codes.

"Cybercriminals are moving from just hacking for volume and finding the path of least resistance to being more sophisticated and targeted in their approach," Pascual said. "They are being very methodical and systematic in terms of how they build their profiles, do their own research and share on the dark web."

The vulnerabilities extend to existing apps too, Pascual said, as updates may be made by vendor employees whose primary concern is not security.

Community banks relying on vendors, then, should start with setting some guidelines for app developers, Pascual said.

"There is much more of a focus as of late on either teaching developers to follow secure coding practices or to get them better tied into the security team, so that the left hand knows what the right hand is doing," he said.

Smaller banks should be vigilant about updates for apps they have licensed and determine if the app vendor has secure development operations, Pascual added. This can be achieved by annual vendor reviews, he said. The opportunity can also come during the search for a new mobile app provider, while converting to a new core provider, or if there are changes to be made to add new functionalities to existing apps.

When the tech team at Savings Bank of Walpole in New Hampshire gets an update from its app vendor for new mobile functionalities, such as fingerprint identification technology, they test the feature and consider how a potential fraudster might bypass it and break into the application.

"The vendor can tell you, 'This is what we've done with this new feature,' but you then have to take a look at it as a financial institution and decide whether or not it will work for you and your customers and your risk tolerance," said Ingrid Hebert, e-banking officer with the company.

The $415 million-asset bank uses Q2 as its mobile app provider. But the bank has yet to reject a feature update from Q2 for security reasons. When the bank sees a potentially risky feature, it will create a better way to verify the customer's identity.

In a new feature for external transfers, the vendor allowed the customer to submit their request, fund the external account and grant access to that external account, and it was all an automated process, Hebert said. After testing the app, the bank implemented a callback to the customer during one of the processes.

"The industries outside of banking are dictating how we do banking," she said. "So we have to provide customers with that user experience and make sure that it's in a secure environment."

Community banks also have to strike a balance with adding levels of authentication for their customers.

"It's the consumer that drives the balance between user experience and security measures," said Jan Sterzinger, e-services manager at Forward Financial Bank in Marshfield, Wis.

"The consumers themselves have it in their minds, based on other apps that they see and interact with and they use, what they're willing to do to use an app," Sterzinger said.

The $440 million-asset bank is in discussions with its vendor, Malauzai, on creating a business app with added levels of security for riskier transactions.

Clear Mountain Bank in Bruceton Mills, W.Va., conducts a yearly review of its mobile app vendor, Fiserv, and does a review whenever there is a product update. The $597 million-asset bank reviews Fiserv's operational audit reports, financials and business continuity plans.

"We have had a mobile app since 2012," said Kiley Jenkins, the bank's chief information officer. "We try to secure things as best as we can before we see the fraud."